Lecture ‐ NAT - Dleifnesor/NET-215 GitHub Wiki

NET 215 - Network Address Translation

Private IPs and Modern Networks

IPv4 Exhaustion

  • All IPv4 addresses have been assigned by IANA.
  • Organizations typically have limited public IP addresses.
  • Most organizations have more systems than public IPs.
  • Solution: Use private IP ranges for internal systems:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/24
  • Private IP ranges are not routable on the Internet.

NAT - Network Address Translation

What is NAT?

Network Address Translation (NAT) is a method of:

  • Remapping one IP address space into another.
  • Modifying network address information in IP packet headers.
  • The rewrite happens in transit, as packets cross a routing device.

NAT in the Enterprise

Example Scenario:

  • Medical Center’s ISP provides a public IP network: 210.84.27.0/24 (254 public IPs).
  • This may be enough for public-facing servers but not for thousands of clients.
  • Solution: NAT!
    • Clients make outbound connections and share public IPs.
    • A NAT router translates private-to-public IPs and tracks translations.

Why NAT?

  • Solves IPv4 exhaustion by enabling private IPs on internal networks.
  • Allows public IP sharing for outbound connections.
  • Example: An organization with 1,000 users may be assigned 202.202.202.128/25 (126 public IPs) by their ISP.

NAT and Security

  • NAT provides some security as a side effect, but security is not its primary purpose.
  • Hosts using private IPs cannot be directly accessed from outside.

NAT - IP Masquerading

  • The NAT type used in labs is called IP Masquerading.
  • Common for client networks with outbound connections.
  • No public servers needed.
  • The private source IP address is changed into a public IP address.

How IP Masquerading Works:

  • Only allows communication when initiated inside the network.
  • Example:
    • A client inside can browse a website outside.
    • A web client outside cannot browse a website hosted inside.
  • Routers maintain stateful translation tables to track conversations.

PAT - Port Address Translation

  • A common implementation of IP Masquerading.
  • Allows multiple devices on a LAN to share a single public IP.
  • Primary goal: Conserve IP addresses.
  • Secondary goal: Masquerading.
  • Widely used by enterprises for client and wireless subnets.
  • ISPs use NAT for home networks.

How PAT Works:

  • PAT devices track sessions using source TCP port numbers:
    • Destination Port: Identifies the service (e.g., 22/SSH, 80/HTTP).
    • Source Port: Ephemeral port (1-65535) chosen by the client.
    • The PAT router maps source ports to track sessions.
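To make the stateful translation table from the "How IP Masquerading Works" and "How PAT Works" sections concrete, here is an added Python simulation of a PAT router with one public IP; it is not code from the original lecture. It assumes the router hands out translated ports sequentially starting at 40000, keys each session on the full (source IP, source port, destination IP, destination port) tuple, and uses constructed addresses (210.84.27.1 from the lecture's example block, 203.0.113.10 as the outside server).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the Layer 3/4 fields PAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Minimal PAT simulator (assumption: ports are allocated sequentially).

    Outbound flows from the private LAN are rewritten to the router's single
    public IP plus a router-chosen port, and the mapping is recorded so replies
    can be rewritten back. Inbound packets with no matching entry are dropped,
    which is why an outside client cannot reach a host behind masquerading.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port) -> translated public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN packet, creating a session if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1  # two clients using the same source port still get distinct entries
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a reply back to the private client, or drop it (None) if unsolicited."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


if __name__ == "__main__":
    router = PatRouter("210.84.27.1")
    out = router.translate_outbound(Packet("10.0.0.5", 50000, "203.0.113.10", 80))
    print("outbound after PAT:", out)
    print("reply after PAT:", router.translate_inbound(Packet("203.0.113.10", 80, "210.84.27.1", out.src_port)))
```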

Other Considerations for NAT

  • IP Masquerading and PAT are common implementations, but other methods exist:
    • Static NAT
    • Dynamic NAT
    • Port Forwarding
  • These address issues such as:
    • Inbound NAT for server access.
    • Private-to-private network remapping.
    • More advanced configurations in Sys Admin and Network Design courses.

Key Takeaways for NET-215

  • Just as routers rewrite Layer 2 headers at each hop, NAT routers rewrite Layer 3 headers, assigning a new source IP.
  • NAT routers track translations to ensure response packets return to the correct client.